It was found that comments (lines starting with a hash) in
/etc/users.oath could prevent one-time-passwords (OTP) from
being invalidated, leaving the OTP vulnerable to replay attacks
(CVE-2013-7322).
_______________________________________________________________________